2009/2/9 Stuart <stut...@gmail.com>:
> 2009/2/9 Michael Kubler <mdk...@gmail.com>:
>> These days SHA should really be used instead of MD5, and you should be
>> SALTing the password as well.
>> Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html
>
> Good advice.

Absolutely. I used MySQL's md5() function only as an example.

> I would also advise against stripping and trimming
> anything from passwords. By removing characters you're significantly
> reducing the number of possible passwords.

Surely, the stripping should only be done when magic_quotes is
enabled! (e.g. Your Server makes \' out of ').
Trimming could be left out but it minimizes user errors and users
pretending to know their password.
(Like copy/paste from a passwords-file with added spaces on the end, etc..)

Regards

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
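
Added example, not part of the original messages: one way to follow both points from the thread in PHP, undoing the escaping only when magic_quotes_gpc is active and storing the password untrimmed while still tolerating stray whitespace at login. The helper names are hypothetical, the trim fallback at login is an assumed design, and password_hash() (which generates the salt itself) is used in place of the hand-salted SHA the thread mentions.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// True only on old PHP builds where magic_quotes_gpc exists and is on.
// get_magic_quotes_gpc() was removed in PHP 8, so test for it first.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Recover the password exactly as typed: undo the \' escaping only when
// the server added it, and never strip or trim anything else.
function raw_password(string $submitted, bool $escaped): string
{
    return $escaped ? stripslashes($submitted) : $submitted;
}

// Store: hash the untouched password. password_hash() creates a random
// salt on every call and embeds it in the returned string.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify: try the exact input first, then the trimmed input (assumed
// design) so a pasted trailing space or newline does not fail the login.
function check_password(string $input, string $storedHash): bool
{
    if (password_verify($input, $storedHash)) {
        return true;
    }
    $trimmed = trim($input);
    return $trimmed !== $input && password_verify($trimmed, $storedHash);
}

// Constructed sample values.
// Case 1: the server escaped the quote, so it is unescaped before hashing.
$hash = store_password(raw_password("pa\\'ss word", true));
var_dump(check_password("pa'ss word", $hash));     // typed exactly
var_dump(check_password("pa'ss word \n", $hash));  // pasted with trailing whitespace

// Case 2: a password that really starts with a space keeps it.
$hash2 = store_password(raw_password(" secret", magic_quotes_active()));
var_dump(check_password(" secret", $hash2));       // leading space supplied
var_dump(check_password("secret", $hash2));        // leading space missing
```

Because nothing is trimmed before hashing, whitespace remains part of the password space; only the login check is lenient about whitespace the user added by accident.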
